This was an Android reversing challenge from the DefCamp CTF 2020 rated with 50 points. The description said:
This should rock your life to the roots of your passwords.
Flag format: CTF{sha256}
They give us an apk so my first approach was to execute it to see how it worked. I connected my phone to my PC, enabled USB debugging under the developer options in my phone and installed it.
This is how the app looks:
It shows an input and when we hit Submit, it does nothing. Okay, that doesn’t help us a lot. So let’s get the contents of the apk.
For that, we are going to use apktool, a tool for reversing Android applications. (I’m not covering the installation process because it’s already documented on the apktool page.)
We run it with the d option to decompress the app into a folder with the same name:
This is what the program generates:
The original Java/Kotlin files are converted to smali files, which look a bit different. We find a lot of packages and classes inside the smali folder:
Searching for the flag directly inside the classes gives no match. So, let’s take another road: let’s find out what is executed when we open the application. If there is an input field, maybe we can get something there.
First, let’s find out the apk package name. Go to the AndroidManifest.xml file, where the root xml tag carries the package name:
Let’s go back to the phone and adb. Open the application and get a shell inside the phone using the adb shell command:
Now, let’s use the command dumpsys window windows to get information about the open apps, and grep to filter by the package name:
So we found the Activity name, org.kivy.android.PythonActivity. Now we know we have to search inside that package. Back to the code!
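The grep above is done by eye on the device; the following is an added example (not part of the original writeup) that parses the Window{...} entries of dumpsys window windows output offline to pull out the activity names belonging to a package, including the currently focused one. The dumpsys text and the package name org.example.ctfapp are constructed placeholders, not captured from the challenge device.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of `adb shell dumpsys window windows` output.
# The package name org.example.ctfapp is a placeholder, not the real one.
SAMPLE_DUMPSYS = """\
WINDOW MANAGER WINDOWS (dumpsys window windows)
  Window #3 Window{8a1b2c3 u0 NavigationBar0}:
    mOwnerUid=10045 showForAllUsers=true package=com.android.systemui appop=NONE
  Window #5 Window{5d6e7f8 u0 org.example.ctfapp/org.kivy.android.PythonActivity}:
    mDisplayId=0 rootTaskId=12 mSession=Session{...}
    mOwnerUid=10210 showForAllUsers=false package=org.example.ctfapp appop=NONE
  mCurrentFocus=Window{5d6e7f8 u0 org.example.ctfapp/org.kivy.android.PythonActivity}
  mFocusedApp=ActivityRecord{...}
"""

# Activity windows are printed as Window{<hex id> u<user> <package>/<activity>}.
# System windows (status bar, navigation bar) have no "/" and are skipped.
WINDOW_RE = re.compile(
    r"Window\{[0-9a-f]+ u\d+ (?P<pkg>[\w.]+)/(?P<activity>[\w.$]+)\}"
)


def find_activities(dumpsys_output: str, package: str) -> List[str]:
    """Return the distinct activity class names that dumpsys shows for `package`."""
    seen: List[str] = []
    for m in WINDOW_RE.finditer(dumpsys_output):
        if m.group("pkg") == package and m.group("activity") not in seen:
            seen.append(m.group("activity"))
    return seen


def focused_activity(dumpsys_output: str) -> Optional[Tuple[str, str]]:
    """Return (package, activity) of the window in mCurrentFocus, if any."""
    for line in dumpsys_output.splitlines():
        if "mCurrentFocus=" in line:
            m = WINDOW_RE.search(line)
            if m:
                return m.group("pkg"), m.group("activity")
    return None


if __name__ == "__main__":
    print(find_activities(SAMPLE_DUMPSYS, "org.example.ctfapp"))
    print(focused_activity(SAMPLE_DUMPSYS))
```

Pipe real output in with adb shell dumpsys window windows and feed it to find_activities with the package name read from AndroidManifest.xml; the focused-window line is the quickest way to confirm which activity is on screen when the app is open.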
We start to look inside the kivy folder, searching for something interesting inside the PythonActivity.smali. Inside the onCreate function we notice something at the end.
Maybe the code is hidden somehow and gets unpacked when the app is started?
Inside the file PythonActivity$UnpackFilesTask I found it’s actually delegating the task to PythonActivityUtil:
Let’s take a look at that function:
Looks like it’s actually unpacking something here. The function does a lot of things, but looking at the strings it uses we find something:
So it’s unpacking something from an .mp3? Let’s check that. Apktool also extracts the assets into an ‘assets’ folder, and there is a private.mp3 file in it. That matches what we saw inside that function, right?
Let’s check it with file:
That’s definitely not an mp3 file. Let’s extract it with tar:
And a bunch of files and folders are created:
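The file and tar steps above trust the archive blindly. As an added example (not code from the writeup or from the challenge), the following identifies an asset by its magic bytes instead of its extension, then lists a tar archive's members while dropping symlinks and entries whose path would escape the extraction directory, which is the check a practitioner wants before unpacking an archive pulled out of an untrusted apk. The archive contents are constructed inline; the file name private.mp3 is reused from the writeup only as a label.

```python
import io
import os
import tarfile
import tempfile
from typing import List


def sniff(data: bytes) -> str:
    """Identify a file by its magic bytes, ignoring the extension."""
    # POSIX/GNU tar: "ustar" at offset 257 of the first 512-byte header.
    if len(data) >= 262 and data[257:262] == b"ustar":
        return "tar"
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    # MP3: ID3v2 tag, or an MPEG frame sync (11 set bits) at the very start.
    if data[:3] == b"ID3" or (len(data) >= 2 and data[0] == 0xFF and data[1] & 0xE0 == 0xE0):
        return "mp3"
    return "unknown"


def safe_members(tar: tarfile.TarFile, dest: str) -> List[tarfile.TarInfo]:
    """Keep only regular files/dirs whose resolved path stays under dest."""
    dest = os.path.realpath(dest)
    keep = []
    for m in tar.getmembers():
        if not (m.isfile() or m.isdir()):
            continue  # symlinks, hard links, devices: never extract these blindly
        target = os.path.realpath(os.path.join(dest, m.name))
        if os.path.commonpath([dest, target]) != dest:
            continue  # "../" or absolute path: would write outside dest
        keep.append(m)
    return keep


def inspect_asset(path: str, dest: str = "extracted") -> List[str]:
    """Verify the asset really is a tar archive and return its safe member names."""
    with open(path, "rb") as f:
        head = f.read(512)
    kind = sniff(head)
    if kind != "tar":
        raise ValueError(f"{path}: looks like {kind}, not a tar archive")
    with tarfile.open(path, "r:") as tar:  # "r:" = uncompressed, whatever the name says
        return [m.name for m in safe_members(tar, dest)]


def build_fake_asset(path: str) -> None:
    """Constructed sample: a tar archive saved under an .mp3 name."""
    files = {
        "main.py": b"def auth(pw):\n    return pw == 'placeholder'\n",  # constructed
        "private.txt": b"nothing to see",
    }
    with tarfile.open(path, "w") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
        # A traversal entry that safe_members must drop.
        bad = tarfile.TarInfo("../escape.txt")
        bad.size = 1
        tar.addfile(bad, io.BytesIO(b"x"))


def demo() -> List[str]:
    """Build the disguised archive in a temp dir and return its safe members."""
    workdir = tempfile.mkdtemp()
    asset = os.path.join(workdir, "private.mp3")
    build_fake_asset(asset)
    return inspect_asset(asset, os.path.join(workdir, "extracted"))


if __name__ == "__main__":
    print(demo())
```

For the real asset, run inspect_asset on assets/private.mp3 from the apktool output; the member list tells you whether main.py is there before anything touches the disk, and the traversal filter is the same check tarfile's filtered extraction performs in recent Python versions.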
We can start by checking main.py (I mean, it’s the main. Makes sense):
We can see an auth function. That looks promising: it returns the contents of U if the check succeeds. Let’s clean that up.
Remove all the parts that are related to Android so we get an executable python file. That means deleting the kivy import, the self.root accesses and the z.text reference, then moving the auth function outside the Main class and deleting Main.
(As you can see, U is only affected by g, which is just a bunch of bytes, and the functions involved don’t use any of the Android parts either, so we can delete all of that without worry.)
This is the final file:
So let’s add a print to that auth function to show the contents of U, and execute it:
And there is the flag!